A hypothetical


Post by Tharos on Sat Feb 22, 2014 10:54 am

Was running this through my mind for a while and thought I'd get some input. It's kind of a fun hypothetical, or so I think anyways.

Do you think it would be possible, assuming you were skilled enough, to take out a botnet? And if so, what would you think would be necessary to do so? Assuming of course you use any means, legal or otherwise.

I was running it through my head, trying to think of how one would go about doing it, and here's what I've come up with.

A server of yours is DDoSed by a botnet.
You examine the logs to see all incoming connections during that time, and write down some of the IPs that were part of it.
~lapse of thought here, since IPs aren't that useful for this, but whatever.~
Somehow using one of those IPs to actually find one of the physical computers that was part of this, and using any means necessary, gain root access to that computer.
Now, having experimented with rootkits before, legally of course, I know some type of rootkit is needed to use a computer as part of your botnet, and usually those have to have a port opened for them. So, since you now have root access to one of those bots, run an Nmap scan to see which ports are open on that machine, obviously looking for any that seem out of the ordinary.
Assuming you find one, monitor it for incoming traffic for a while to see if the controller of the botnet issues any commands. If he does, you should be able to get his IP, assuming he is not proxied.
Use similar means as earlier to gain access to his machine.
Now you have root access to the machine that controls the botnet.
Use your imagination to decide what you plan to do with this power now. Good? Or evil?

Obviously this is a very rough sketch idea with many holes, but it's been kind of fun to think about.
So how do you think you might go about taking on a botnet?


Pretty sure I stayed within the rules here, make sure you guys do as well, no super specific instruction about how to do it, just a rough overview.
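The defender's side of the log step above (examine the logs during the flood, pull out the participating IPs) can be done by rate instead of by hand. This is an added example, not code from the thread; it parses a constructed sample of combined-format web access log lines and flags source IPs that exceed a per-minute request threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache/nginx "combined" access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [22/Feb/2014:10:30:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Feb/2014:10:30:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Feb/2014:10:30:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Feb/2014:10:30:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.30"
203.0.113.5 - - [22/Feb/2014:10:30:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.77 - - [22/Feb/2014:10:30:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.77 - - [22/Feb/2014:10:30:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.77 - - [22/Feb/2014:10:30:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Feb/2014:10:45:10 +0000] "GET /about HTTP/1.1" 200 1024 "-" "curl/7.30"
"""

# Leading fields of the combined log format: client IP, ident, user, [timestamp], "request", status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, datetime, request) for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")

def requests_per_ip_per_minute(log_text):
    """Count requests per (minute bucket, source IP). Unparseable lines are skipped, not guessed."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        counts[(ts.replace(second=0), ip)] += 1
    return counts

def flag_flood_sources(log_text, threshold):
    """Return IPs whose busiest minute exceeded `threshold` requests, most active first."""
    peak = defaultdict(int)
    for (_, ip), n in requests_per_ip_per_minute(log_text).items():
        peak[ip] = max(peak[ip], n)
    return sorted((ip for ip, n in peak.items() if n > threshold), key=lambda ip: -peak[ip])
```

The threshold is site-specific; a busy legitimate client can cross a low one, so the output is a triage list, not an attribution.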


Re: A hypothetical

Post by fashizzlepop on Sat Feb 22, 2014 2:00 pm

A botnet controller doesn't usually (if ever) talk to the zombies directly. Most of the time the zombies will connect to an IRC server hosted somewhere. Then, the owner only has to connect to the IRC server to issue commands to all the zombies that are online.

The best way to find the IRC server is to reverse the malware and see what it connects to. Watching the channel for long enough should give you a good enough idea of what each command does. From there you'd have to try *very* hard to get to the owner. Chances are you won't.


Re: A hypothetical

Post by -Ninjex- on Sat Feb 22, 2014 3:48 pm

I agree with fas.
If the owner is smart, and they likely will be, their IP will be masked, preventing you from knocking them out of the chat with denial-of-service attacks.
The owner could also be verifying that the commands are only coming from their nick while +r (recognized by NickServ). So this prevents any silly command like !login <password> potentially giving them away.

If you do find a server with a botnet, be sure you mask yourself correctly, and make yourself look like the rest of the bots. This would include things like /mode. Then you want to play the waiting game, and see how he/she has the C&C set up, what commands it offers, etc.
The last thing you want is to be revealed, and then knocked offline, as well as ruining your attack.

There also could be two or more masters, which could intensify the challenge even more :D


Re: A hypothetical

Post by nightmair on Sat Feb 22, 2014 6:14 pm

This hacker did something similar to what you described.
The article describes how he parsed his server's logs for bot attacks. Then he tracked them back to their origin and killed the botnet.

It doesn't seem like he took over the computers of the hackers as well, though.


Re: A hypothetical

Post by Tharos on Sun Feb 23, 2014 2:38 pm

nightmair wrote: This hacker did something similar to what you described.
The article describes how he parsed his server's logs for bot attacks. Then he tracked them back to their origin and killed the botnet.

It doesn't seem like he took over the computers of the hackers as well, though.

Oh that is an awesome read. Thank you for this.


Re: A hypothetical

Post by fashizzlepop on Sun Feb 23, 2014 4:15 pm

Excellent link. Quite fun to read this guy's stories.
